Wentworth Institute of Technology COMP355 – Databases | Spring 2015 | Derbinsky
SQL Programming
Lecture 5
1 February 2015
SQL Programming
1
Wentworth Institute of Technology COMP355 – Databases | Spring 2015 | Derbinsky
Outline 1. General Approaches 2. Typical programming sequence 3. Examples
1 February 2015
SQL Programming
2
Wentworth Institute of Technology COMP355 – Databases | Spring 2015 | Derbinsky
General Approaches • SQL via API • Embedded SQL
– SQLJ • DB Programming Language
– PL/SQL, T-SQL • Hybrid
– MS Access, Filemaker
1 February 2015
SQL Programming
3
Wentworth Institute of Technology COMP355 – Databases | Spring 2015 | Derbinsky
SQL via API Most common approach, access database functions via library
1 February 2015
SQL Programming
4
PreparedStatement stmt = conn.prepareStatement( "SELECT LASTNAME" + " , FIRSTNAME" + " , SALARY" + " FROM EMPLOYEE" + " WHERE SALARY BETWEEN ? AND ?" ); stmt.setBigDecimal( 1, min ); stmt.setBigDecimal( 2, max ); ResultSet rs = stmt.executeQuery(); while ( rs.next() ) { lastname = rs.getString( 1 ); firstname = rs.getString( 2 ); salary = rs.getBigDecimal( 3 ); // Print row... } rs.close(); stmt.close();
Wentworth Institute of Technology COMP355 – Databases | Spring 2015 | Derbinsky
Issues with Accessing SQL via API • Impedance mismatch
– Object-relational mapping • DBMS abstraction layer • Cursors • Injection attacks
1 February 2015
SQL Programming
5
Wentworth Institute of Technology COMP355 – Databases | Spring 2015 | Derbinsky
Impedance Mismatch
In this context, refers to several issues that arise when OO language interacts with RDBMS
– Differences in data types – Query results as row/column – Limited compile-time error detection w.r.t. SQL
1 February 2015
SQL Programming
6
Wentworth Institute of Technology COMP355 – Databases | Spring 2015 | Derbinsky
Object-Relational Mapping (ORM) Common technique to convert between incompatible systems (e.g. OO objects and RDBMS rows/columns)
1 February 2015
SQL Programming
7
part = new Part(); part.name = "Sample part"; part.price = 123.45; part.save();
INSERT INTO parts (name, price) VALUES ('Sample part', 123.45);
Wentworth Institute of Technology COMP355 – Databases | Spring 2015 | Derbinsky
Database Abstraction Layer • Most database systems have native APIs for several
programming languages
• To ease software development, there are database abstraction efforts – Libraries: JDBC (Java), PearDB (PHP), Sequel (Ruby) – Middleware: ODBC
• Varying degree of abstraction from DBMS/SQL
• Works well for many applications; can harm efficiency and/or access to DBMS-specific functionality
1 February 2015
SQL Programming
8
Wentworth Institute of Technology COMP355 – Databases | Spring 2015 | Derbinsky
Cursors • Libraries typically offer two types of access to
query results (i.e. result set) – All at once (e.g. in an array/data structure) – Row-by-row
• The latter may be required for larger results, typically facilitated by a cursor data structure (can be thought of as a pointer to a single row within a larger set, similar to iterator) – Library may optimize for access patterns
(e.g. read-only, forward-only, etc)
1 February 2015
SQL Programming
9
Wentworth Institute of Technology COMP355 – Databases | Spring 2015 | Derbinsky
SQL Injection Attacks ala XKCD
1 February 2015
SQL Programming
10
Wentworth Institute of Technology COMP355 – Databases | Spring 2015 | Derbinsky
Preventing SQL Injection • Whenever user inputs interact with SQL, sanitizing
is a vital security concern – Parameterization API
• Use prepared statements (or stored queries); bind value via function call, API automatically escapes appropriate to DBMS
– Value escaping API • Make sure string to be appended is properly quoted to
prevent unintended leakage
• Principle of Least Privilege – Database user should only be allowed to access/
change what is absolutely necessary; optionally use different users for different classes of operation
1 February 2015
SQL Programming
11
Wentworth Institute of Technology COMP355 – Databases | Spring 2015 | Derbinsky
Embedded SQL Insert [typically prefixed] code directly into source; compiler auto-generates DBMS-specific code
1 February 2015
SQL Programming
12
vs.
Wentworth Institute of Technology COMP355 – Databases | Spring 2015 | Derbinsky
DB Language (SQL/PSM) Store Procedures
1 February 2015
SQL Programming
13
Wentworth Institute of Technology COMP355 – Databases | Spring 2015 | Derbinsky
Typical Programming Sequence 1. Connect to DBMS
– URL, database name, user/pw, driver – Sometimes persistent for performance
2. Arbitrary interactions – Transactions via SQL
3. Close the connection
1 February 2015
SQL Programming
14
Wentworth Institute of Technology COMP355 – Databases | Spring 2015 | Derbinsky
Query Sequence
1. Generate SQL – Could be static or composed of algorithmic/
user-contributed parts
2. Execute
3. Get results
1 February 2015
SQL Programming
15
Wentworth Institute of Technology COMP355 – Databases | Spring 2015 | Derbinsky
Prepared Query Sequence 1. Generate parameterized SQL
– Could be static or composed of algorithmic parts (typically nothing user-contributed)
2. Bind values to SQL parameters – Could be static or algorithmic/user-contributed
3. Execute
4. Get results
1 February 2015
SQL Programming
16